Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 808681 (CVE-2021-38385, TROVE-2021-007)

Summary: <net-vpn/tor-{0.4.5.10, 0.4.6.7}: Denial of service (CVE-2021-38385)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://lists.torproject.org/pipermail/tor-packagers/2021-August/000128.html
Whiteboard: B3 [glsa+]
Package list:
net-vpn/tor-0.4.5.10 net-vpn/tor-0.4.6.7
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-17 04:49:11 UTC
See https://lists.torproject.org/pipermail/tor-packagers/2021-August/000128.html.

Description:
"
    - Resolve an assertion failure caused by a behavior mismatch between
      our batch-signature verification code and our single-signature
      verification code. This assertion failure could be triggered
      remotely, leading to a denial of service attack. We fix this issue
      by disabling batch verification. Fixes bug 40078; bugfix on
      0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and
      CVE-2021-38385. Found by Henry de Valence.
"

Releases (for us): 0.4.5.10, 0.4.6.7. Please bump, thanks!
Comment 1 Anthony Basile gentoo-dev 2021-08-17 14:03:53 UTC
These are in the tree now.  Tor is very good about pushing out working products, so let's go ahead and stabilize.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-17 14:20:59 UTC
(In reply to Anthony Basile from comment #1)
> These are in the tree now.  Tor is very good about pushing out working
> products, so let's go ahead and stabilize.

Thanks!
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-17 21:38:24 UTC
ppc done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-17 21:38:32 UTC
ppc64 done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-18 01:41:13 UTC
arm done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-18 01:45:52 UTC
x86 done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-19 01:06:14 UTC
arm64 done
Comment 8 Agostino Sarubbo gentoo-dev 2021-08-19 01:26:33 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 9 Anthony Basile gentoo-dev 2021-08-24 20:18:57 UTC
(In reply to Agostino Sarubbo from comment #8)
> amd64 stable.
> 
> Maintainer(s), please cleanup.
> Security, please vote.

the vulnerable version is off the tree
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-24 20:23:32 UTC
(In reply to Anthony Basile from comment #9)
> (In reply to Agostino Sarubbo from comment #8)
> > amd64 stable.
> > 
> > Maintainer(s), please cleanup.
> > Security, please vote.
> 
> the vulnerable version is off the tree

Thanks!
Comment 11 NATTkA bot gentoo-dev 2021-09-22 15:28:29 UTC
Unable to check for sanity:

> no match for package: net-vpn/tor-0.4.5.10
Comment 12 Anthony Basile gentoo-dev 2021-09-22 15:29:41 UTC
(In reply to NATTkA bot from comment #11)
> Unable to check for sanity:
> 
> > no match for package: net-vpn/tor-0.4.5.10

I've dropped 0.4.5.10 from the tree.  There's no reason to keep it with 0.4.6.7.
Comment 13 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-27 05:52:19 UTC
GLSA request filed
Comment 14 Larry the Git Cow gentoo-dev 2023-05-03 09:54:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=464847c4e70c07cfb07a8715f613e418da18698e

commit 464847c4e70c07cfb07a8715f613e418da18698e
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 09:53:19 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 09:54:23 +0000

    [ GLSA 202305-11 ] Tor: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/808681
    Bug: https://bugs.gentoo.org/852821
    Bug: https://bugs.gentoo.org/890618
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-11.xml | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)